We Wuz Hacked
Timing is everything. My Samsung NC10 netbook had a massive fail yesterday, which left me unable to access this blog (or, indeed, the internet), and some charming individuals seized this opportunity to hack into Twittercism and add some rather nasty exploits.
I couldn’t get the blog or (more worrying) the admin panel to load at all. Wherever I went, I just got an error message.
Even better, Google decided to mark the domain as a malware risk, which obviously has some impact on traffic.
Fortunately, the exploit, which attempted to load a file from the website c8t.at, was fairly easy to track down, and I removed it manually via FTP.
If you’re a WordPress user impacted by this issue, I recommend two courses of action:
- Check your default-filters.php, default-widgets.php and pluggable.php files (all are located in the wp-includes folder), as well as the main index.php file in your theme. I had a single line of code at the very bottom of all of these files (which starts with <iframe… and linked to a file at c8t.at). Remove it (carefully), save and re-upload your file(s).
- Always make sure you upgrade to the latest version of WordPress. I was using WordPress 2.8.3, which is only a single upgrade behind the current version (2.8.4), but it was enough to allow others to have a sneaky in.
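The file check in the list above can be automated. This is an added example, not part of the original post: a Python script that walks a local copy of a site, marks any iframe pointing at the two domains named in the post as known-bad, and marks any other iframe in the last few lines of a file for review. It goes beyond the four files listed by checking every PHP, HTML and JS file; the function names, the five-line tail window, the extension list and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

BAD_HOSTS = ("c8t.at", "c8t.ru")   # the two domains named in the post
EXTENSIONS = {".php", ".html", ".htm", ".js"}
TAIL_LINES = 5                     # assumed window; the post found it on the last line
IFRAME_RE = re.compile(rb"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def is_bad_host(src):
    """True if the iframe src points at a listed domain or a subdomain of it."""
    host = (urlparse(src).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in BAD_HOSTS)

def scan_file(path):
    """Return [(line_no, src, severity)] for suspicious iframes in one file."""
    lines, findings = path.read_bytes().splitlines(), []
    for no, line in enumerate(lines, 1):
        for m in IFRAME_RE.finditer(line):
            src = m.group(1).decode("latin-1")
            if is_bad_host(src):
                findings.append((no, src, "known-bad"))
            elif no > len(lines) - TAIL_LINES:
                findings.append((no, src, "review"))  # iframe tacked onto file end
    return findings

def scan_tree(root):
    """Map relative path -> findings for every matching file under root."""
    root, report = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            if hits := scan_file(path):
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a constructed sample tree; file contents and URLs are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        inc, theme = Path(tmp, "wp-includes"), Path(tmp, "wp-content/themes/sample")
        inc.mkdir(); theme.mkdir(parents=True)
        (inc / "pluggable.php").write_text(
            '<?php\nfunction f() {}\n?>\n<iframe src="http://c8t.at/placeholder"></iframe>\n')
        (inc / "default-filters.php").write_text("<?php\nadd_filter('a', 'b');\n")
        (theme / "index.php").write_text(
            '<?php get_header(); ?>\n<iframe src="http://example.org/w"></iframe>\n')
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree()` at a copy of the site downloaded over FTP. It only matches plain single-line `<iframe>` tags, so an empty report does not rule out an obfuscated injection.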
Despite Google’s concerns, the exploit never actually loaded. It simply presented an error message. So, if you happened to visit Twittercism during this period, don’t worry. Nothing bad happened. But the sites (c8t.at and c8t.ru) are known to Google and the warning was legitimate, if a little excitable.
Of course, I’m certainly not in bad company with my blog being hacked. But it’s a lesson learned. Always make sure your online security is top-notch, as the crap has a nasty habit of hitting the fan at exactly the wrong time.

Thanks Shéa for the heads-up here… I operate BlogFloggers.com which is actually based on WordPress MU, the multi-user version, so I’m wondering what impact or relevance this exploit has for that particular version of WordPress. You have gotten me to sit up and take notice of my particular situation. My question is, how did the hackers get the code into those PHP files? Any further words of advice? I guess I should read up on WordPress security….
P.S. I just noticed something… don’t know what it is, but it seemed to appear after I started typing this. There is a check-box with a line of red text next to it that says “Oh no! Comluv had an error with your feed, see message below!” and it is a hot link to http://twittercism.com/we-wuz-hacked/0 which I have NOT clicked to see where it might go… in case of malware. Below that line, there is a check-box that says “Notify me of followup comments via e-mail” which appears normal.
Don’t worry – Comluv is a plugin (Comment Luv) that scans the blogs of my commentators (such as yourself) and links to their latest article where available. If it isn’t (for whatever reason), the plugin gives that error. Not sure why it couldn’t find your blog, but sometimes these things happen.
Yeah, I noticed the WordPress update pushed out yesterday and shortly thereafter some mighty weird trackbacks that made no sense. This sorta explains it. The BlackHat folks say WordPress is very hackable. Unfortunately I have yet to find anything with all the features to switch to.
.-= Skunk´s last blog ..Twitter Updates for 2009-08-15 =-.
Hello There
Any idea what I can do to track down the problem?
I'm in deep trouble as well with my website, it's listed like yours as a bad website due to that c8t.at malware… my problem is that I don't run WordPress on the server.
Also, how did you manage to get your site un-listed so fast?
Please help me
+
S199
You’ll need to work through all your files to locate the <iframe... code and remove it. As said, for me it was at the very bottom of the affected files. As for Google, as soon as I’d removed the problem they removed the warning.
OK, thanks a lot.
Keep up the good work guys.
++
S199
I don't think it's a remote attack, looks more like our computers are infected :/ this is suggested on several sites.
I found a running process on startup called ikowin32.exe, it's cleaned now. Can u check using hijackthis if this process is running on ur computer too? Maybe it's the source of the problem.
It was absolutely a remote attack for me, as it exploited a hole in WordPress 2.8.3 (which has now been rectified thanks to the upgrade to 2.8.4). Have scanned my computer (I use Spybot) and there’s nothing locally.
Glad you got it taken care of.
Damn, I feel so bad now, I cleaned the website this morning and I checked 5 min ago, it's infected again with that iframe thing, I feel so bad now daaamn… nobody seems to figure out where this infection is coming from. :/
I had the latest version, 2.8.4, and even so the same issue happened ;(
Now I have shifted to the version from 1 day before and the issue seems fixed.
But how can we save our site????
All our latest updates, the content we added, we have to get done again.
.-= John´s last blog ..RapidLash =-.